security issue about exposing a file directory

c676228

Hi all,

If in an ASP program I need to display a pdf file link for users to print
and read, is there any security issue? We are thinking about doing this since
many mail servers block emails with pdf file attachments. We just want to give
users an opportunity to print the document themselves instead of
completely depending on email delivery.

Thank you.
 
Evertjan.

c676228 wrote on 31 jan 2007 in
microsoft.public.inetserver.asp.general:
> If in an ASP program, I need to display a pdf file link for users to
> print and read. Is there any security issue? We are thinking about
> doing this is many mail servers block emails with pdf file attachment.
> We just try to give an opportunity to users to print the document
> themselves instead of completely depending on email delivery.

You can just put the pdf file on the website, and as long as your users do
not divulge the address, it is safe, just as safe as if you send them the
file and they can send it to anyone else.

You could put the file behind a password, using ASP.

Showing the content of a directory is not necessary at all.
You can place a dummy index.asp or switch IIS to not show it.
 
c676228

Hi Evertjan,
The pdf file is unique to every user who purchased on our web site. So it is
not a generic pdf file. Could you explain a little more "Showing the content
of a directory is not necessary at all.
You can place a dummy index.asp or switch the IIS to no show." I don't get it yet.

Thank you.
 
Evertjan.

c676228 wrote on 31 jan 2007 in
microsoft.public.inetserver.asp.general:

[Please do not toppost on usenet]

> The pdf file is unique to every user who purchased on our web iste. So
> it is not a generice pdf file.

That does not matter, if the pdf file has a location in one of your web
directories, it can be reached from the web if you tell your customer where
it is in a link you sent him.

> Could you explain a little more
> "Showing the content of a directory is not necessary at all.

Why would it be necessary? Why would you plan to show it?
 
Anthony Jones

c676228 said:
> Hi Evertjan,
> The pdf file is unique to every user who purchased on our web iste. So it is
> not a generice pdf file. Could you explain a little more "Showing the content
> of a directory is not necessary at all. get it yet.

Is it important to restrict users to seeing only their reports and not
others?

I'll guess yes.

In that case you definitely will not want to give directory browsing to the
users.

Do these users receiving the email have a username and password they need to
use to access the web site?

If so then email them a link which requires them to enter their username and
password before redirecting to the PDF.

If not, then some form of security can be achieved by including a
GUID in the link to the PDF.

Anthony.
 
Evertjan.

Anthony Jones wrote on 01 feb 2007 in
microsoft.public.inetserver.asp.general:
> Is it important to restrict users to seeing only their reports and not
> others?
>
> I'll guess yes.
>
> In that case you definitely will not want to give directory browsing
> to the users.
>
> Do these users receiving the email have a username and password they
> need to use to access the web site?
>
> If so then email them a link which requires them to enter their
> username and password before redirecting to the PDF.
>
> If not then email then some form of security can be acheived by
> incluing a GUID in the a link to the PDF.

A fairly safe way is to use a use-once-web-address.

So the client giving away the address would not be very useful.

How?

Make an ASP file with a unique name, like
http://domain.xyz/useoncedir/user+password+thepdfname.asp
Program it to download the pdf using a bitstream,
and immediately, or after a fixed time, say 10 minutes,
delete that asp file. The pdf location is kept secret.

The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/
so that the asp file does not have to exist,
and the virtual asp file could even be named:
http://domain.xyz/useoncedir/user+password+thepdfname.pdf
 
Anthony Jones

Evertjan. said:
> Anthony Jones wrote on 01 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> A fairly safe way is to use a use-once-web-address.
>
> So the client giving away the address would not be very usefull.
>
> How?
>
> Make an ASP file with an unique name, like
> http://domain.xyz/useoncedir/user+password+thepdfname.asp
> Program it to download the pdf using a bitstream,
> and immediately, or after a fixed time, say 10 minutes,
> delete that asp file. The pdf location is kept secret.
>
> The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/
> so that the asp file does not have to exist,
> and the virtual asp file could even be named:
> http://domain.xyz/useoncedir/user+password+thepdfname.pdf

One caveat: I would not send out a URL in an email that includes the user's
name and password. Use a GUID; it's unique.

If there is an additional requirement that we don't want the user to view the
content and then later view it again (or give the URL to someone else to
view, which seems a bit draconian to me) then you can still use an ASP file
to deliver the content but limit the time the content can be viewed after
first use. There is no need for a 404 trick though; put the GUID in the
query string to a single ASP page.
 
c676228

Hi Anthony and Evertjan,
Thank you both for the ideas. I did use a GUID to display a unique pdf to a
customer.
In order to hide the real pdf directory,
I think I can use Evertjan's idea here: make that link temporary and
remove that pdf after 10-15 min, and thus we can hide the real pdf
directory.
Can you tell me what is the best way to do
"The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/"

Thank you.
 
Dave Anderson

c676228 said:
> Hi Anthony and Everjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Everjan's idea: make that link temporarily and
> remove that pdf after like 10- 15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"

Do you know how to use the IIS Management Console to assign a custom script
for 404 errors?

If so, create an empty application -- for example, /UseOnce/ -- on your
website, and assign such a script for that application. In that script,
examine Request.QueryString. It will contain the full requested URL. Now you
can parse it.

In fact, all of the desired DATA in that URL comes after the string
/UseOnce/, so you can strip everything before it out:

URL:
http://your.domain.com/UseOnce/6CA825B0-2096-43ED-94E0-8C811E45CFB2

JScript:
// Request.QueryString is a collection object, so convert it to a string before calling replace()
var Data = String(Request.QueryString).replace(/.*\/UseOnce\//,"")

VBScript:
Set RX = New RegExp
RX.Pattern = ".*/UseOnce/"
Data = RX.Replace(Request.QueryString,"")

In either example, the variable [Data] contains the string
"6CA825B0-2096-43ED-94E0-8C811E45CFB2". Go from there.
 
Evertjan.

c676228 wrote on 02 feb 2007 in
microsoft.public.inetserver.asp.general:
> Hi Anthony and Everjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Everjan's idea: make that link temporarily and
> remove that pdf after like 10- 15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"

[Please do not toppost on usenet]

In custom 404.asp,
do something like this,
[this actual code is not tested; debug as required]

<%
'' IIS hands the custom error page "404;<requested url>" in the query string
qstr = lcase(Request.ServerVariables("QUERY_STRING"))

'' this is my default picture if I have the link wrong:
if right(qstr,4)=".jpg" or right(qstr,4)=".gif" then
    response.redirect "/noPicFound404.gif"
end if

if instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 then
    x = instr(qstr,"/useoncedir/")+len("/useoncedir/")
    once = mid(qstr,x,99)   '' the name part of the use-once link (lower case, see above)
    strFileName = "/secretfile102938/" & once
    strFilePath = server.mappath(strFileName)
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

    '' only names in this list are ever served, and only until their expiry time;
    '' compare in lower case because qstr was lower-cased
    ok = false
    if once = "file123.pdf" and now<#2007/02/02 23:27# then ok=true
    if once = "file456.pdf" and now<#2007/02/03 20:27# then ok=true
    if once = "file78a.pdf" and now<#2007/02/03 05:27# then ok=true
    ''' better use a database but the above is a simple form

    if objFSO.FileExists(strFilePath) AND ok then
        Set objStream = Server.CreateObject("ADODB.Stream")
        objStream.Open
        objStream.Type = 1   '' adTypeBinary
        objStream.LoadFromFile strFilePath
        Response.Buffer = true   '' Response.Flush requires buffering to be on
        Response.ContentType = "application/pdf"
        Response.AddHeader "Content-Disposition","inline;filename=" & once
        Response.BinaryWrite objStream.Read
        Response.Flush
        objStream.Close
        Set objStream = Nothing
    else
        response.write "Sorry, nonexisting file"
    end if
    Set objFSO = Nothing
    Response.end
end if
%>
<html>
........
This is the 404 page
........
</html>
 
c676228

Evertjan,
Thank you so much for your detailed instruction. It's very helpful. I am
wondering why you use " if
instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
"if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;" here
for?
When a page is requested, based on your idea, what I need to do is get the file
name from the query string and check the file name and timestamp in the
database; if the file exists and meets the time requirement, transfer the
file, otherwise display an error page. Thank you.
--
Betty


 
Evertjan.

c676228 wrote on 03 feb 2007 in
microsoft.public.inetserver.asp.general:
> Evertjan,
> Thank you so much for your detailed instruction. It's very helpful. I
> am wondering why you use " if
> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;"
> here for?
> When a page is request, based on your idea, what I need to do is get
> file name from the query string and check the file name and timestamp
> in the database, if the file exists and meet the time requirement,
> transfer the file, otherwise, display an error page. Thank you.
> --
> Betty

[Please do not toppost on usenet]

Dear Betty,

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet?
 
Anthony Jones

c676228 said:
> Evertjan,
> Thank you so much for your detailed instruction. It's very helpful. I am
> wondering why you use " if
> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;" here
> for?

When a 404 error occurs IIS invokes the page designated to handle 404 errors
for the folder in which it occurred. When this ASP script is executed the
error code generated and the full URL of the requested page are placed in the
query string.

In some cases a developer may wish to have one handler page handle several
different error codes. The developer can use this error code prefix to
determine which error invoked the page.
 
Anthony Jones

Evertjan. said:
> c676228 wrote on 03 feb 2007 in
> microsoft.public.inetserver.asp.general:
> > Evertjan,
> > Thank you so much for your detailed instruction. It's very helpful. I
> > am wondering why you use " if
> > instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> > "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;"
> > here for?
> > When a page is request, based on your idea, what I need to do is get
> > file name from the query string and check the file name and timestamp
> > in the database, if the file exists and meet the time requirement,
> > transfer the file, otherwise, display an error page. Thank you.
> > --
> > Betty
>
> [Please do not toppost on usenet]
>
> Dear Betty,
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing on usenet?

In your opinion. Evidently there are plenty of others who do not agree with
you.
 
Evertjan.

Anthony Jones wrote on 03 feb 2007 in
microsoft.public.inetserver.asp.general:

> > [Please do not toppost on usenet]
> >
> > Dear Betty,
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > A: Top-posting.
> > Q: What is the most annoying thing on usenet?
>
> In your opinion. Evidently there are plenty of others who do not
> agree with you.

No matter Anthony, as you say it is my opinion, and a defendable one.

It seems you have no problem reading the above A-Q sequence, so be it.

Ignoring a polite request is another matter, if deliberate, which I doubt.
I don't want to conduct a usenet conversation that way.
 
c676228

Evertjan,
To tell you the truth, it took me a while to figure out what top-post means.
I saw that in one of your other posts and I searched in the dictionary or
even the web, but I didn't get the information. Now I get what you mean. Sorry, I
didn't mean to do it.
Probably it is my English problem. It is not my regular way to present the answer
first and the question next; I am not even aware I did it and am still wondering...
--
Betty


 
Stefan Berglund

On Sat, 3 Feb 2007 12:30:21 -0000, "Anthony Jones" said:
> When a 404 error occurs IIS invokes the page designated to handle 404 errors
> for the folder in which it occured. When this ASP script is executed the
> error code generated and full URL of the requested page is placed in the
> query string.

How or where do you find this folder specificity in W2K Server?
 
Anthony Jones

Stefan Berglund said:
> On Sat, 3 Feb 2007 12:30:21 -0000, "Anthony Jones"
>
> How or where do you find this folder specificity in W2K Server?

Strictly speaking there isn't one. All properties are specific to the path
including the file name. However you have to jump through hoops to create a
404 handler specific to a file that doesn't actually exist, hence the closest
you can get in practical terms is the immediate container of the file.

IIS stores a set of custom error handlers for a path in a metabase
property 'HttpErrors' which is simply a list of error codes and the pages
that handle them.

Initially this property is only actually found in /LM/W3SVC/; all the sites
and folders under the sites inherit this property. Whenever this property
exists in a path down to the file itself the most specific entry is used.

Anthony.
 
